From c93ec85e9f91739aa812d08f3523edd1a912fda0 Mon Sep 17 00:00:00 2001 From: Anton Livaja Date: Fri, 6 Dec 2024 10:51:58 -0500 Subject: [PATCH] add commit signature checking when building software --- .../src/verifying-signatures.md | 30 ++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/quorum-key-management/src/verifying-signatures.md b/quorum-key-management/src/verifying-signatures.md index e185f08..2ab2195 100644 --- a/quorum-key-management/src/verifying-signatures.md +++ b/quorum-key-management/src/verifying-signatures.md @@ -1,6 +1,34 @@ # Verifying Signatures -When building and downloading software it is essential to verify signatures to ensure its integrity. +When building and downloading software it is essential to verify signatures to ensure its integrity. It is also important to verify that the latest commit, and ideally that all commits that are being used to build from are verified to have signatures from trusted keys. This can be done using `git verify-commit HEAD` or similar. A script like below can be modified to check for trusted keys for all commits: + +```bash +#!/bin/bash + +mapfile -t trusted_keys < trusted_keys.txt + +is_trusted_key() { + local key="$1" + for trusted_key in "${trusted_keys[@]}"; do + if [[ "$key" == "$trusted_key" ]]; then + return 0 + fi + done + return 1 +} + +git rev-list --all | while read commit; do + if git verify-commit "$commit" > /dev/null 2>&1; then + key_id=$(git show "$commit" | grep 'gpgsig' | awk '{print $NF}') + + if ! is_trusted_key "$key_id"; then + echo "$commit: Signed but NOT by a trusted key ($key_id)" + fi + else + echo "$commit: Not signed" + fi +done +``` Verification of software depends on two primary aspects:
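Review bot: the key-id extraction in the new script, `key_id=$(git show "$commit" | grep 'gpgsig' | awk '{print $NF}')`, cannot produce a key id, so `is_trusted_key` will never be given anything it can match and every signed commit is reported as "NOT by a trusted key". `git show` does not print the `gpgsig` header at all (it is only visible through `git cat-file -p`), and even where that header is printed its last field is `SIGNATURE-----`, not a key id; the grep can also match the literal string "gpgsig" inside the commit's own diff. Use git's signature format placeholders instead, e.g. `key_id=$(git log -1 --format='%GK' "$commit")`, or `%GF` (fingerprint of the signing key) / `%GP` (fingerprint of its primary key), and make `trusted_keys.txt` hold full fingerprints rather than short key ids so that the comparison is not open to short-id collisions; `%G?` additionally gives a one-letter signature status that is worth logging next to the key. Two smaller points: `git rev-list --all` walks every ref in the clone, including remote-tracking branches and tags that are not part of what is being built, while the added prose speaks of "all commits that are being used to build from", so `git rev-list HEAD` (or the ref under build) is the better default. And the script only echoes findings and always exits 0, so it cannot fail a build; because `while read` runs in a pipeline subshell, a flag set inside the loop is lost, so either `exit 1` directly inside the loop on the first untrusted or unsigned commit, or feed the loop from `< <(git rev-list HEAD)` and exit on the flag afterwards. On the prose line, "and ideally that all commits that are being used to build from are verified to have signatures from trusted keys" reads awkwardly and would be clearer as "and ideally every commit the build uses, carries a signature from a trusted key".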